File name: 20250411.exe

Full analysis: https://app.any.run/tasks/725711f2-b170-4b22-8c0e-84800b9f544a
Verdict: Malicious activity
Analysis date: April 15, 2025, 01:39:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: dbutil-2-3-sys, vuln-driver, upx, ip-check
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 2354D666F3982973AE4DFD5A2259E721
SHA1: 15B0A516EFD020D48BDD0D6E8F1F75E98C58B727
SHA256: 4CDB9ACD3DBC3BDACE6ECA1509F8E88BB7136905D94017576544ECAD67A3B900
SSDEEP: 98304:GMuo52K/wodSAPvSYSq5AWEA4OeEC9wdx1ptiLdCcSXs7xgaSqSJ5SGIgH/DZBFy:ND+7BUC8OCPfUCjHM2LT4awR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 20250411.exe (PID: 5116)
      • 20250411.exe (PID: 5720)
    • Creates or modifies Windows services

      • 6IIfVJ.exe (PID: 5216)
    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 6132)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 6132)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 20250411.exe (PID: 5720)
    • Starts a Microsoft application from unusual location

      • 20250411.exe (PID: 5116)
      • 20250411.exe (PID: 5720)
    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 1452)
    • Executable content was dropped or overwritten

      • 20250411.exe (PID: 5720)
      • 6IIfVJ.exe (PID: 5216)
    • Starts CMD.EXE for commands execution

      • 20250411.exe (PID: 5720)
      • 6IIfVJ.exe (PID: 5216)
    • Uses ROUTE.EXE to modify routing table

      • cmd.exe (PID: 4112)
    • Restarts service on failure

      • sc.exe (PID: 5968)
    • Executing commands from a ".bat" file

      • 6IIfVJ.exe (PID: 5216)
    • Reads security settings of Internet Explorer

      • 20250411.exe (PID: 5720)
    • The process executes VB scripts

      • 20250411.exe (PID: 5720)
    • Creates file in the systems drive root

      • all.exe (PID: 5548)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6132)
  • INFO

    • The sample compiled with english language support

      • 20250411.exe (PID: 5720)
    • Disables trace logs

      • 20250411.exe (PID: 5720)
    • Reads the computer name

      • 20250411.exe (PID: 5720)
      • 6IIfVJ.exe (PID: 5216)
    • Deletes a route via ROUTE.EXE

      • ROUTE.EXE (PID: 300)
    • Reads the machine GUID from the registry

      • 20250411.exe (PID: 5720)
    • Checks supported languages

      • 6IIfVJ.exe (PID: 5216)
      • 20250411.exe (PID: 5720)
      • all.exe (PID: 5548)
      • all.exe (PID: 3900)
    • Adds a route via ROUTE.EXE

      • ROUTE.EXE (PID: 5116)
    • Creates files in the program directory

      • 6IIfVJ.exe (PID: 5216)
    • The sample compiled with chinese language support

      • 6IIfVJ.exe (PID: 5216)
    • Process checks computer location settings

      • 20250411.exe (PID: 5720)
    • Checks proxy server information

      • slui.exe (PID: 6572)
    • Reads the software policy settings

      • slui.exe (PID: 6572)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:11 02:40:09+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 668672
InitializedDataSize: 29746688
UninitializedDataSize: -
EntryPoint: 0x7dda4
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.3.5064.756
ProductVersionNumber: 2.3.5064.756
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 2.3.5064.756
ProductVersion: 2.3.5064.756
LegalCopyright: © Microsoft Corporation. All rights reserved.
CompanyName: Microsoft Corporation
FileDescription: Microsoft (R) Contacts Import Tool
InternalName: svchost.exe
OriginalFileName: svchost.exe
ProductName: Microsoft® Windows® Operating System
Total processes: 162
Monitored processes: 21
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown ("no specs" is the report's own label for a process without recorded specifications): 20250411.exe, cmd.exe (no specs), conhost.exe (no specs), route.exe (no specs), 6iifvj.exe, cmd.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), route.exe (no specs), reg.exe (no specs), sc.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), ping.exe (no specs), wscript.exe (no specs), all.exe (no specs), all.exe (no specs), slui.exe, 20250411.exe (no specs)

Process information

PID: 300
CMD: route delete 0.0.0.0
Path: C:\Windows\SysWOW64\ROUTE.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Route Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\route.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1040
CMD: ping 127.0.0.1
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1056
CMD: reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 1132
CMD: cmd.exe /c reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs
Path: C:\Windows\System32\cmd.exe
Parent process: 6IIfVJ.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 1452
CMD: /c route delete 0.0.0.0
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 20250411.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1676
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2600
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2772
CMD: C:\WINDOWS\system32\cmd.exe /c C:\Windows\System32\\Delete00.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 6IIfVJ.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 3900
CMD: C:\all.exe C:\2.sys 2
Path: C:\all.exe
Parent process: cmd.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules (images):
c:\all.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntoskrnl.exe

PID: 4068
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 5 943
Read events: 5 926
Write events: 17
Delete events: 0

Modification events

Process: (5720) 20250411.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write
Name: EnableFileTracing
Value: 0

Process: (5720) 20250411.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (5720) 20250411.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (5720) 20250411.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write
Name: FileTracingMask
Value: (empty)

Process: (5720) 20250411.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write
Name: ConsoleTracingMask
Value: (empty)

Process: (5720) 20250411.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write
Name: MaxFileSize
Value: 1048576

Process: (5720) 20250411.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: (5216) 6IIfVJ.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Svchost
Operation: write
Name: netsvcs
Value: FastUserSwitchingCompatibility

Process: (5216) 6IIfVJ.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility
Operation: write
Name: Description
Value: 监测和监视新硬件设备并自动更新设备驱. (GBK-encoded Chinese text)

Process: (5216) 6IIfVJ.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility
Operation: write
Name: DisplayName
Value: Microsoft Device Process
Executable files: 2
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID 5720, 20250411.exe: C:\Users\admin\Desktop\tem.vbs (text)
MD5: 496AC06211D24951FAFEDF5625B98B22
SHA256: AA38B74F45F32DE83F239EAF4874340DB02759E874D9A770C5CADA4106EFAF00

PID 5216, 6IIfVJ.exe: C:\Windows\SysWOW64\Delete00.bat (text)
MD5: 2C92ED6ACCCAFAD41692040D1F52882B
SHA256: A97432C2329158B4D5CF89A66668AE5797F251038E997E82E94D918C2A8EEA1D

PID 5720, 20250411.exe: C:\Users\admin\Documents\6IIfVJ.exe (executable)
MD5: 06025C0E55774629942A81C223117389
SHA256: C9CE1E625FDAFD0FD5CA819321926D3CD3217251D6121AF583AA30B448A98C14

PID 5216, 6IIfVJ.exe: C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp (executable)
MD5: D1A016D3D4133E3EF25C6D87BF67C7B0
SHA256: 5AB64735CDCA40A901210297E76CF22295F0E50A31717A5EAE0ACCBE58874FCE

PID 5720, 20250411.exe: C:\Users\admin\Documents\conf.ini (text)
MD5: FC4E31EC9BFF19C83EF3249D26AF0A57
SHA256: AB46F02AF4D3258C4B322A57BDA2B7A2394170394A15DDE2FA05F5B4C16687A4
HTTP(S) requests: 34
TCP/UDP connections: 53
DNS requests: 18
Threats: 1

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Reputation ("-" where the report lists no value)

2104 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7012 | svchost.exe | GET | 301 | 138.113.101.15:80 | http://www.ip138.com/ | unknown | whitelisted
7012 | svchost.exe | GET | 200 | 163.171.130.131:80 | http://2025.ip138.com/ | unknown | unknown
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
2984 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
2984 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
2984 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
- | - | GET | 200 | 13.95.31.18:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | -
2984 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
2984 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" where the report lists no value)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 20.190.160.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7012 | svchost.exe | 154.82.93.8:5200 | - | TERAEXCH | HK | unknown

DNS requests

Domain: resolved IPs (reputation)

settings-win.data.microsoft.com: 4.231.128.59, 51.104.136.2 (whitelisted)
google.com: 142.250.186.46 (whitelisted)
crl.microsoft.com: 23.216.77.28, 23.216.77.6 (whitelisted)
login.live.com: 20.190.160.131, 20.190.160.20, 20.190.160.17, 40.126.32.134, 40.126.32.138, 40.126.32.74, 40.126.32.72, 40.126.32.68 (whitelisted)
client.wns.windows.com: 172.211.123.249 (whitelisted)
settings-prod-neu-3.northeurope.cloudapp.azure.com: 4.231.128.59 (whitelisted)
www.ip138.com: 138.113.101.15, 163.171.130.131, 138.113.149.153 (whitelisted)
2025.ip138.com: 163.171.130.131, 163.171.130.132 (unknown)
slscr.update.microsoft.com: 4.245.163.56 (whitelisted)
www.microsoft.com: 184.30.21.171 (whitelisted)

Threats

PID: 7012
Process: svchost.exe
Class: Misc activity
Message: ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format
No debug info